It was actually the "same" account number at a different Barclays branch. The account-holder may even have been largely unaware that the sort-code was a critical part of the unique identifier for his Barclays account.
Yeah, so the problem is that the account number plus short code had no checksum validation. This is the banks fault for implementing a rubbish account system. A proper system would look more like this sudo code:
where 1234567890 is the account number, 1234 is the short code, and then 6 characters are typed in at the end are a checksum.
The short code is unique. So if you type in the correct checksum but not the correct short-code the fully-qualified unique identifier does not pass the validation step. Like-wise, if you type in the correct short-code but not the checksum then the unique identifier also does not pass the validation step. Thus, the user is protected against typing in an incorrect short code.
UK Sort Code + Account Numbers _do_ have check digits (Its not precisely a check digit as such: they have rules that they have to obey to be valid). Because of the age of the system, there isn't one _consistent_ rule for all sort code and account numbers, but instead a document listing the various methods and a couple of tables saying which rule(s) to apply and how
In most cases the sort code is included in the checksum
6 digits are far, far too extreme from a usability perspective. We have IBANs as world wide unique account identifiers. They are very unwieldy with up to 34 digits, depending on country. And only 2 of them are checksum digits. Most mistakes are one or two wromg digits or missing/extra digits and that can be caught with 2 properly designed checksum digits.
1234567890-1234-checksum(1234567890-1234).substring(0, 6)
where 1234567890 is the account number, 1234 is the short code, and then 6 characters are typed in at the end are a checksum.
The short code is unique. So if you type in the correct checksum but not the correct short-code the fully-qualified unique identifier does not pass the validation step. Like-wise, if you type in the correct short-code but not the checksum then the unique identifier also does not pass the validation step. Thus, the user is protected against typing in an incorrect short code.